News Feature | August 28, 2014

BadUSB Forecasts USB Security Problems


By Christine Kern, contributing writer


The security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry; it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell presented at the Black Hat USA 2014 conference in Las Vegas, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken.

The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s Internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. “These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB is designed.”

“In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer,” Nohl explained.

Nohl and Lell are hardly the first to point out that USB devices can store and spread malware. They spent months reverse engineering the firmware that runs the basic communication functions of USB devices — the controller chips that allow the devices to communicate with a PC and let users move files on and off of them. Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code.

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

The problem isn’t limited to thumb drives. All USB devices from a keyboard and a mouse to a smartphone have firmware that can be reprogrammed, and once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. “If you put anything into your USB (slot), it extends a lot of trust,” Nohl said. “Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It’s the equivalent of (saying) ‘here’s my computer; I’m going to walk away for 10 minutes. Please don’t do anything evil.’”
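The trust problem Nohl describes is that the host accepts whatever device class a peripheral claims, so a thumb drive can quietly enumerate a keyboard interface as well. One defender-side check is to audit the interfaces each attached device exposes. The following is an added example, not code from the researchers or from the article: it parses records in the format of the Linux `usb-devices` command (`/proc/bus/usb/devices`) and flags any device that presents both a mass-storage interface and a HID keyboard interface. The two records and their vendor/product IDs are constructed for illustration.

```python
import re

# Constructed sample in the `usb-devices` / /proc/bus/usb/devices record format
# (not captured from a real host); IDs and product names are made up.
SAMPLE = """\
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=1.5 MxCh= 0
P:  Vendor=1234 ProdID=0001 Rev=01.00
S:  Product=Example Keyboard
C:  #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=90mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid

T:  Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  3 Spd=480 MxCh= 0
P:  Vendor=1234 ProdID=0002 Rev=01.10
S:  Product=Example Flash Drive
C:  #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=300mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
"""

MASS_STORAGE, HID, KEYBOARD_PROTOCOL = 0x08, 0x03, 0x01

def parse_usb_devices(text):
    """Group T:/P:/S:/I: records into one dict per device; interface tuples are (class, subclass, protocol)."""
    devices = []
    for line in text.splitlines():
        tag = line[:2]
        if tag == "T:":
            port = re.search(r"Port=(\d+)", line).group(1)
            devices.append({"port": port, "id": "?", "product": "?", "ifaces": []})
        elif tag == "P:":
            m = re.search(r"Vendor=(\w+) ProdID=(\w+)", line)
            devices[-1]["id"] = f"{m.group(1)}:{m.group(2)}"
        elif tag == "S:" and "Product=" in line:
            devices[-1]["product"] = line.split("Product=", 1)[1].strip()
        elif tag == "I:":  # class/subclass/protocol fields are hex in this format
            m = re.search(r"Cls=([0-9a-f]{2})\(.*?\) Sub=(\w+) Prot=(\w+)", line)
            devices[-1]["ifaces"].append(tuple(int(x, 16) for x in m.groups()))
    return devices

def find_suspicious(devices):
    """Heuristic: a device that is both a disk and a boot-protocol keyboard deserves a closer look."""
    hits = []
    for d in devices:
        has_storage = any(c == MASS_STORAGE for c, _, _ in d["ifaces"])
        has_keyboard = any(c == HID and p == KEYBOARD_PROTOCOL for c, _, p in d["ifaces"])
        if has_storage and has_keyboard:
            hits.append(f"{d['id']} ({d['product']}) on port {d['port']}: storage + keyboard")
    return hits
```

Legitimate composite devices (keyboards with built-in card readers, for instance) will also match, so treat a hit as a prompt to verify the device against an inventory rather than as proof of tampering.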

The malware can silently hijack Internet traffic too, changing a computer’s domain name system (DNS) settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an Internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa.

Matt Blaze, University of Pennsylvania computer science professor, points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine.